From rezaf at mindspring.com Mon Apr 1 14:18:01 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 1 Apr 2013 08:18:01 -0400
Subject: [anti-abuse-wg] A Network without contact!
Message-ID: <0E45D3FB4A164D3083D9BA239313E13D@admin36565265a>

Hello,

Thank you all for your input about a network that did not provide an e-mail contact information.

As Wout de Natris clearly pointed out, even Scania's telephone number was incorrect! So, to the ones who had recommended I call the network to report an abuse/spam, you cannot even trust the phone numbers provided.

Either lack of abuse/spam reporting contact for networks has become more noticeable, as we find out that the contact channels provided are incorrect, or do not even exist. Here is another example.

I tried to report a Spam that had come from IP address [204.116.102.91] which belongs to Spirit Telecom. Their Whois information shows the following:

OrgName:    Spirit Telecom
OrgId:      IAVE
Address:    1500 Hampton Street
City:       Columbia
StateProv:  SC
PostalCode: 29201
Country:    US
RegDate:    1993-07-01
Updated:    2011-12-01
Comment:    FOR ABUSE Reports Please E-Mail noc at spirittelecom.com or Call, 888-864-7226
Comment:    For Law Enforcement Agencies Subpoena Request and Info Please E-Mail customercare at spirittelecom.com or Call 800-686-7671
Ref:        http://whois.arin.net/rest/org/IAVE

----

But after sending my report to noc at spirittelecom.com, I received this error message:

Delivery has failed to these recipients or distribution lists:
noc at spirittelecom.com
The recipient's e-mail address was not found in the recipient's e-mail system.

----

Considering the time differences, and often language barrier, calling a network may not be possible. So, as strange as it may sound, networks need to provide a channel so that others could contact them and report network violations.

Here, I have copied Spirit Telecom's other contacts so that they could know about this problem at their network.

Thank you,

Reza Farzan
rezaf at mindspring.com

From Pepijn.Vissers at acm.nl Tue Apr 2 09:55:34 2013
From: Pepijn.Vissers at acm.nl (Vissers, Pepijn)
Date: Tue, 2 Apr 2013 07:55:34 +0000
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
Message-ID: <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>

Although the contact info is clearly wrong, as Wout nicely pointed out, this is an EARLY_REGISTRATION and as such Scania had in days long gone preregistered a large chunk of IP space. As you can see it's a /16, registered in '91.

So Scania should have been contacted during the ERX project (http://www.ripe.net/lir-services/resource-management/erx) to give unused space back to the community.

As you can see here (https://stat.ripe.net/148.148.0.0-148.148.255.255?sourceapp=ripedb#tabId=at-a-glance) it *is* announced, through AS1257.

So the contact information could be wrong because it's old - in a time far far away we had 9-digit telephone numbers in NL.

Pepijn

From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Reza Farzan
Sent: Friday 29 March 2013 13:19
To: RIPE Anti-Abuse WG
Subject: [anti-abuse-wg] A Network without contact!

Hello All,

Here is a network that I came across which does not have any contact information:

inetnum:    148.148.0.0 - 148.148.255.255
netname:    SCANIF
descr:      Scania Nederland B.V.
descr:      P.O. Box 618
descr:      8000 AP Zwolle
country:    NL
admin-c:    RS3212-RIPE
tech-c:     RS3212-RIPE
status:     EARLY-REGISTRATION
mnt-by:     ERX-NET-148-148-MNT
mnt-lower:  ERX-NET-148-148-MNT
mnt-routes: ERX-NET-148-148-MNT
changed:    hostmaster at arin.net 19910418
changed:    hostmaster at arin.net 19910418
changed:    er-transfer at ripe.net 20031003
source:     RIPE

person:     Roelof Sondaar
address:    Scania Nederland B.V. Potbus 61S
address:    8000 AP Zwolle
address:    NL
phone:      +31 30977966
nic-hdl:    RS3212-RIPE
mnt-by:     RIPE-ERX-MNT
changed:    hostmaster at arin.net 19910628
changed:    er-transfer at ripe.net 20031003
source:     RIPE

How can someone contact this network? Does anyone know?

Thank you,

Reza Farzan

From niall.oreilly at ucd.ie Tue Apr 2 12:02:54 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Tue, 2 Apr 2013 11:02:54 +0100
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a> <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>
Message-ID:

On 2 Apr 2013, at 08:55, Vissers, Pepijn wrote:

> So Scania should have been contacted during the ERX project
> (http://www.ripe.net/lir-services/resource-management/erx)

and almost certainly were.

> to give unused space back to the community.

I suspect you may be wishfully retro-fitting a goal to the ERX project.

Best regards,

Niall O'Reilly

From BECHA at ripe.net Tue Apr 2 14:01:58 2013
From: BECHA at ripe.net (Vesna Manojlovic)
Date: Tue, 02 Apr 2013 14:01:58 +0200
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a> <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>
Message-ID: <515AC8B6.4030501@ripe.net>

Dear Reza, Pepijn, list,

On 4/2/13 9:55 AM, Vissers, Pepijn wrote:
> Although the contact info is clearly wrong, as Wout nicely pointed out,
> this is an EARLY_REGISTRATION and as such Scania had in days long gone
> preregistered a large chunk of IP space. As you can see it's a /16,
> registered in '91.
>
> So Scania should have been contacted during the ERX project
> (http://www.ripe.net/lir-services/resource-management/erx) to give
> unused space back to the community.
>
> As you can see here
> (https://stat.ripe.net/148.148.0.0-148.148.255.255?sourceapp=ripedb#tabId=at-a-glance)
> it *is* announced, through AS1257.

Since you already pointed out the use of RIPEstat, I would like you to take a look at the "Abuse Contact Finder" widget, that gives contact details for AS1257:

https://stat.ripe.net/special/abuse#abuse-contact-finder.resource=148.148.0.0

(please take a look at "show complete details" & methodology)

Regards,
Vesna

From leo.vegoda at icann.org Tue Apr 2 16:15:10 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Tue, 2 Apr 2013 07:15:10 -0700
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To:
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a> <612FDD73642D544098B908E8AA1665D91AC6E3A3@ex2087.acm.local>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B15FF1684729@EXVPMBX100-1.exc.icann.org>

Hi,

Niall O'Reilly wrote:

On 2 Apr 2013, at 08:55, Vissers, Pepijn wrote:
>
> > So Scania should have been contacted during the ERX project
> > (http://www.ripe.net/lir-services/resource-management/erx)
>
> and almost certainly were.
>
> > to give unused space back to the community.
>
> I suspect you may be wishfully retro-fitting a goal
> to the ERX project.

Yes. My memories of the project are that the goal was simply to move registrations from ARIN's database to RIPE's database. Registrants were given the opportunity to take control of their registration data and to make updates but were not required to do anything.

Regards,

Leo

From kranjbar at ripe.net Wed Apr 3 14:35:27 2013
From: kranjbar at ripe.net (Kaveh Ranjbar)
Date: Wed, 3 Apr 2013 14:35:27 +0200
Subject: [anti-abuse-wg] [news] Phase 1 Update: Abuse Contact Management in the RIPE Database
Message-ID:

[Apologies for duplicate emails]

Dear colleagues,

Phase 1 of ripe-563 "Abuse Contact Management in the RIPE Database" is now being implemented, as announced on 19 March 2013.

According to ripe-563, all resources allocated or assigned by the RIPE NCC will need to have an abuse contact email address included in their RIPE Database registration. During the first six months of implementation (phase 1), all Local Internet Registries (LIRs) must add an abuse contact attribute ("abuse-c:") to their LIR's ORGANISATION object to provide abuse contact information for all of the allocated address space under their LIR.

Since the initial announcement two weeks ago, we are pleased to report that 24.8% of the RIPE NCC's allocated IPv4 address space is already covered with an abuse contact. More statistics will be sent to the RIPE Anti-Abuse Working Group mailing list.

In phase 1, we will send notifications to LIRs that haven't added abuse contact information to their LIR's ORGANISATION object. If this information is not added by the LIR by the end of phase 1, we will automatically add the LIR's contact email address (which is already publicly listed at: ) as their abuse contact. LIRs can always change this information as needed.

More information on the implementation plan, including phase 2 (covering PI space and ASNs) is available on RIPE Labs at:

-------------------------------
How to add "abuse-c"
-------------------------------

An explanation of how to add "abuse-c:" to an LIR's ORGANISATION object as well as how to fine-tune abuse contact information for sub-allocations and assignments is outlined here:

Please kindly consider adding abuse contact information as soon as possible to the ORGANISATION object(s) you control or maintain in the RIPE Database.

Kind Regards,

Kaveh Ranjbar,
RIPE NCC Database Group Manager

From Pepijn.Vissers at acm.nl Tue Apr 9 14:37:52 2013
From: Pepijn.Vissers at acm.nl (Vissers, Pepijn)
Date: Tue, 9 Apr 2013 12:37:52 +0000
Subject: [anti-abuse-wg] Notice from our chairman (no, not spam)
In-Reply-To: <612FDD73642D544098B908E8AA1665D91AC7D07C@ex2087.acm.local>
References: <612FDD73642D544098B908E8AA1665D91AC7D02A@ex2087.acm.local> <612FDD73642D544098B908E8AA1665D91AC7D07C@ex2087.acm.local>
Message-ID: <612FDD73642D544098B908E8AA1665D91AC7D4AB@ex2087.acm.local>

Hello RIPE AAWG,

Because my old organization is no more, please find below a message from the chairman of the Authority for Consumers & Markets. My team is still operationally responsible for (amongst other things) the mitigation of spam and malware in the Netherlands.

-->
Dear international colleague,

It is my great pleasure to inform you of the launch on 1 April 2013 of the Netherlands Authority for Consumers & Markets (ACM). The ACM will replace the Independent Post and Telecom Authority (OPTA), the Netherlands Consumer Authority and the Netherlands Competition Authority (NMa).

We kindly request that you replace our current membership details with the membership details of ACM.
Please note also that while our current email addresses retain their validity, all our email addresses are, in the future: first_name.last_name at acm.nl.

The ACM will continue to implement and enforce the existing legislation of the OPTA, CA and the NMa. International cooperation is an important theme for the Authority for Consumers and Markets. We look forward to continuing our fruitful relationship with you.

Kind regards,

Chris Fonteijn
Chairman of the ACM
<--

Kind regards,

Pepijn Vissers
Enforcement official

T: +31 70 7222848
M: +31 6 24533268
Muzenstraat 41
2511 WB The Hague
The Netherlands
P.O. Box 16326
2500 BH The Hague
The Netherlands
www.acm.nl
www.consuwijzer.nl

From ripe-anti-spam-wg at powerweb.de Fri Apr 26 10:29:45 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 26 Apr 2013 10:29:45 +0200
Subject: [anti-abuse-wg] [news] Phase 1 Update: Abuse Contact Management in the RIPE Database
In-Reply-To:
References:
Message-ID: <517A3AF9.5010305@powerweb.de>

Kaveh Ranjbar wrote:

Hi,

now it's one month later, could you please present actual stats ?

Because our stats do not show any real progress:

date        spams from RIPE-IP  without contact  with contact  % with contact
2013.04.25  1664                1064             600           36%
2013.04.24  1426                908              518           36%
2013.04.23  1110                663              447           40%
2013.04.22  974                 607              367           37%
2013.04.21  826                 538              288           34%
2013.04.20  806                 499              307           38%
2013.04.19  918                 541              377           41%
2013.04.18  2113                1429             684           32%
2013.04.17  4079                2637             1442          35%
2013.04.16  2310                1482             828           35%
2013.04.15  3192                2130             1062          33%
2013.04.14  1272                849              423           33%
2013.04.13  1195                795              400           33%
2013.04.12  716                 462              254           35%
2013.04.11  1083                620              463           42%
2013.04.10  701                 378              323           46%
2013.04.09  587                 293              294           50%
2013.04.08  519                 282              237           45%
2013.04.07  457                 266              191           41%
2013.04.06  418                 224              194           46%
2013.04.05  311                 183              128           41%
2013.04.03  460                 266              194           42%
2013.04.02  476                 258              218           45%
2013.04.01  412                 223              189           45%
2013.03.31  241                 156              85            35%
2013.03.30  351                 217              134           38%
2013.03.29  320                 173              147           45%
2013.03.28  517                 301              216           41%
2013.03.27  950                 660              290           30%
2013.03.26  889                 492              397           44%
2013.03.25  1526                1053             473           31%
2013.03.24  851                 606              245           28%
2013.03.23  5051                4037             1014          20%
2013.03.22  1692                1259             433           25%
2013.03.21  1290                964              326           25%

contact is an available abuse-c contact or a contact with
abuse-mailbox-field as returned by "whois -b"

right column shows the percentage of spam we receive from the
RIPE-region which have an abuse contact

Kind regards, Frank

> [Apologies for duplicate emails]
>
> Dear colleagues,
>
> Phase 1 of ripe-563 "Abuse Contact Management in the RIPE Database" is
> now being implemented, as announced on 19 March 2013.
>
> According to ripe-563, all resources allocated or assigned by the RIPE
> NCC will need to have an abuse contact email address included in their
> RIPE Database registration. During the first six months of
> implementation (phase 1), all Local Internet Registries (LIRs) must add
> an abuse contact attribute ("abuse-c:") to their LIR's ORGANISATION
> object to provide abuse contact information for all of the allocated
> address space under their LIR.
>
> Since the initial announcement two weeks ago, we are pleased to report
> that 24.8% of the RIPE NCC's allocated IPv4 address space is already
> covered with an abuse contact. More statistics will be sent to the RIPE
> Anti-Abuse Working Group mailing list.
>
> In phase 1, we will send notifications to LIRs that haven't added abuse
> contact information to their LIR's ORGANISATION object. If this
> information is not added by the LIR by the end of phase 1, we will
> automatically add the LIR's contact email address (which is already
> publicly listed at: ) as their
> abuse contact. LIRs can always change this information as needed.
>
> More information on the implementation plan, including phase 2 (covering
> PI space and ASNs) is available on RIPE Labs at:
>
>
> -------------------------------
> How to add "abuse-c"
> -------------------------------
>
> An explanation of how to add "abuse-c:" to an LIR's ORGANISATION object
> as well as how to fine-tune abuse contact information for
> sub-allocations and assignments is outlined here:
>
>
> Please kindly consider adding abuse contact information as soon as
> possible to the ORGANISATION object(s) you control or maintain in the
> RIPE Database.
>
> Kind Regards,
>
> Kaveh Ranjbar,
> RIPE NCC Database Group Manager
>

--

Kind regards, Frank Gadegast
--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast  mailto:frank at powerweb.de
Schinkelstrasse 17  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================

From brian.nisbet at heanet.ie Fri Apr 26 11:55:38 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 26 Apr 2013 10:55:38 +0100
Subject: [anti-abuse-wg] Updated Agenda, AA-WG Session at RIPE 66
Message-ID: <517A4F1A.6040407@heanet.ie>

Colleagues,

This is the draft agenda for the RIPE 66 meeting.
The WG session will take place on Thursday 16th May at 14:00 BST. RIPE 66 will be taking place in the Burlington Hotel, Dublin.

We've added an introduction to Europol's European Cybercrime Center (EC3), which means Tobias' x-arf presentation will only happen if we have spare time. If it doesn't take place in Dublin, we'll keep it for RIPE 67 in Athens.

A. Administrative Matters
  * Welcome
  * Scribe, Jabber, Stenography
  * Microphone Etiquette
  * Approve Minutes from RIPE 65
  * Finalise agenda

B. Update
  * B1. Recent List Discussion
  * B2. CleanIT Project Close-Off
  * B3. AA-WG Charter

C. Policies
  * RIPE Policy 2011-06
  * RIPE Policy Proposal 2013-01

D. Interactions
  * D1. Working Groups
  * D3. RIPE NCC Gov/LEA Interactions Update
  * D4. An Introduction to European Cybercrime Centre - Richard Leaning

E. Presentation
  * E1. "Save money online without killing yourself" - Michele Neylon & ASOP

X. A.O.B.

Z. Agenda for RIPE 67

From kranjbar at ripe.net Fri Apr 26 13:01:31 2013
From: kranjbar at ripe.net (Kaveh Ranjbar)
Date: Fri, 26 Apr 2013 13:01:31 +0200
Subject: [anti-abuse-wg] [news] Phase 1 Update: Abuse Contact Management in the RIPE Database
In-Reply-To: <517A3AF9.5010305@powerweb.de>
References: <517A3AF9.5010305@powerweb.de>
Message-ID: <522E9A3A-D891-4FF1-B185-5A75A7079565@ripe.net>

Hello,

Looking at each network listed in the latest version of RIPE NCC's Delegated stat file (ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-extended-latest) which covers all of the address space issued in the RIPE region:

--------
NETWORK NUMBERS:

Total Number of v4 allocations listed: 20,488
Number of v4 allocations covered with abuse-c: 4,377 or 21.3% of v4 allocations

Total Number of v4 PI assignments listed: 28,676
Number of v4 PI assignments covered with abuse-c: 516 or 1.8% of v4 assignments

Total Number of v6 allocations listed: 5,584
Number of v6 allocations covered with abuse-c: 1,104 or 19.8% of v6 allocations

Total Number of v6 assignments: 1,376
Number of v6 assignments covered with abuse-c: 56 or 4% of v6 assignments

Total Number of objects: 56,124 (IPv4: 49,164 IPv6: 6,960)
Number of objects covered with abuse-c: 6,053 or 10.7% (IPv4: 9.9% IPv6: 16.6%)

--------
IPv4 NETWORK SIZES:

Total size of v4 allocation listed: 594,421,760
Size of v4 allocations covered with abuse-c: 186,387,456 or 31.3%

Total size of v4 PI assigned listed: 169,759,544
Size of v4 PI assigned covered with abuse-c: 4,030,400 or 2.3%

Total size of listed v4 addresses: 764,181,304
Size of listed v4 addresses covered with abuse-c: 190,417,856 or 24.9%

Taking v4 as an example, 24.9% of address space is already covered by an "abuse-c:" contact which consists of 21.3% of networks allocated by RIPE NCC to its members and 1.8% of PI assigned objects.

Please note that the current phase -which will continue until end of September- is focused on allocations (31.3% of address space is covered now). In the coming months, we will send multiple reminders to members who haven't added an "abuse-c:" to their LIR's organisation object and at the end of this phase, we will automatically add the public LIR email address as the abuse contact email address for that member's allocated objects. Members will always be able to change those contacts but they won't be able to remove the "abuse-c:" attribute from the LIR's organisation object.

Looking more closely at the v4 numbers, it is also visible that although 58% of the v4 networks listed are assignments they only count for 22.2% of size of addresses in the RIPE region. This might not directly correlate with abuse statistics though, as it is possible that for some reason spammers prefer one flavour of addresses over another one.

Please let me know if you have any further questions.

All the best,
Kaveh.

---
Kaveh Ranjbar,
RIPE NCC Database Group Manager

On Apr 26, 2013, at 10:29 AM, Frank Gadegast wrote:

> Kaveh Ranjbar wrote:
>
> Hi,
>
> now it's one month later, could you please present actual stats ?
>
>
> Because our stats do not show any real progress:
>
> date        spams from RIPE-IP  without contact  with contact  % with contact
> 2013.04.25  1664                1064             600           36%
> 2013.04.24  1426                908              518           36%
> 2013.04.23  1110                663              447           40%
> 2013.04.22  974                 607              367           37%
> 2013.04.21  826                 538              288           34%
> 2013.04.20  806                 499              307           38%
> 2013.04.19  918                 541              377           41%
> 2013.04.18  2113                1429             684           32%
> 2013.04.17  4079                2637             1442          35%
> 2013.04.16  2310                1482             828           35%
> 2013.04.15  3192                2130             1062          33%
> 2013.04.14  1272                849              423           33%
> 2013.04.13  1195                795              400           33%
> 2013.04.12  716                 462              254           35%
> 2013.04.11  1083                620              463           42%
> 2013.04.10  701                 378              323           46%
> 2013.04.09  587                 293              294           50%
> 2013.04.08  519                 282              237           45%
> 2013.04.07  457                 266              191           41%
> 2013.04.06  418                 224              194           46%
> 2013.04.05  311                 183              128           41%
> 2013.04.03  460                 266              194           42%
> 2013.04.02  476                 258              218           45%
> 2013.04.01  412                 223              189           45%
> 2013.03.31  241                 156              85            35%
> 2013.03.30  351                 217              134           38%
> 2013.03.29  320                 173              147           45%
> 2013.03.28  517                 301              216           41%
> 2013.03.27  950                 660              290           30%
> 2013.03.26  889                 492              397           44%
> 2013.03.25  1526                1053             473           31%
> 2013.03.24  851                 606              245           28%
> 2013.03.23  5051                4037             1014          20%
> 2013.03.22  1692                1259             433           25%
> 2013.03.21  1290                964              326           25%
>
> contact is an available abuse-c contact or a contact with
> abuse-mailbox-field as returned by "whois -b"
>
> right column shows the percentage of spam we receive from the
> RIPE-region which have an abuse contact
>
>
> Kind regards, Frank
>
>> [Apologies for duplicate emails]
>>
>> Dear colleagues,
>>
>> Phase 1 of ripe-563 "Abuse Contact Management in the RIPE Database" is
>> now being implemented, as announced on 19 March 2013.
>>
>> According to ripe-563, all resources allocated or assigned by the RIPE
>> NCC will need to have an abuse contact email address included in their
>> RIPE Database registration. During the first six months of
>> implementation (phase 1), all Local Internet Registries (LIRs) must add
>> an abuse contact attribute ("abuse-c:") to their LIR's ORGANISATION
>> object to provide abuse contact information for all of the allocated
>> address space under their LIR.
>>
>> Since the initial announcement two weeks ago, we are pleased to report
>> that 24.8% of the RIPE NCC's allocated IPv4 address space is already
>> covered with an abuse contact. More statistics will be sent to the RIPE
>> Anti-Abuse Working Group mailing list.
>>
>> In phase 1, we will send notifications to LIRs that haven't added abuse
>> contact information to their LIR's ORGANISATION object. If this
>> information is not added by the LIR by the end of phase 1, we will
>> automatically add the LIR's contact email address (which is already
>> publicly listed at: ) as their
>> abuse contact. LIRs can always change this information as needed.
>>
>> More information on the implementation plan, including phase 2 (covering
>> PI space and ASNs) is available on RIPE Labs at:
>>
>>
>> -------------------------------
>> How to add "abuse-c"
>> -------------------------------
>>
>> An explanation of how to add "abuse-c:" to an LIR's ORGANISATION object
>> as well as how to fine-tune abuse contact information for
>> sub-allocations and assignments is outlined here:
>>
>>
>> Please kindly consider adding abuse contact information as soon as
>> possible to the ORGANISATION object(s) you control or maintain in the
>> RIPE Database.
>>
>> Kind Regards,
>>
>> Kaveh Ranjbar,
>> RIPE NCC Database Group Manager
>>
>
>
> --
>
> Kind regards, Frank Gadegast
> --
> MOTD: "have you enabled SSL on a website or mailbox today ?"
> --
> PHADE Software - PowerWeb  http://www.powerweb.de
> Inh. Dipl.-Inform.
> Frank Gadegast  mailto:frank at powerweb.de
> Schinkelstrasse 17  fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
> ======================================================================
>

From ripe-anti-spam-wg at powerweb.de Sat Apr 27 12:17:59 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sat, 27 Apr 2013 12:17:59 +0200
Subject: [anti-abuse-wg] abuse contact responsibilities
Message-ID: <517BA5D7.10607@powerweb.de>

Hi all,

I like to raise questions about what kind of responsibilities an abuse contact should have and look forward to comments or experiences you have with other providers.

We currently have a case with a bigger hosting company (mostly doing serverhousing) from the RIPE region. They have one abuse contact with one single abuse mailaddress for all IPs and rather big netblocks used for serverhousing.

We had to find out, that the only thing they do with incoming abuse reports, is to forward them to their customers which actually rent the equipment. They don't try to find the security hole themselves, they don't block outgoing email from intruded and misused servers, they do nothing but this forwarding.

Surely, the end customers are not familiar with intrusion detection, have no UNIX/Windows skills and have no background knowledge, they can mostly work a servers control panel, and that's it.

The provider is surely too lazy to insert an abuse contact for every customer he has.

So:
- should an ISP not try to work out any abuse problem together with the customer, if the abuse contact address is his ?
- should he not be forced to enter different abuse contacts to RIPEs DB, if he does not want to work the cases ?
- is there already any kind of regulation, what an abuse contact has to do ?
- if not, should there be one ?

Kind regards, Frank
--
PHADE Software - PowerWeb  http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast  mailto:frank at powerweb.de
Schinkelstrasse 17  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================

From leo.vegoda at icann.org Sat Apr 27 17:20:47 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Sat, 27 Apr 2013 08:20:47 -0700
Subject: [anti-abuse-wg] abuse contact responsibilities
In-Reply-To: <517BA5D7.10607@powerweb.de>
References: <517BA5D7.10607@powerweb.de>
Message-ID: <74ED7E2D-382F-4C70-803C-5DD53BCAC82F@icann.org>

Hi Frank,

On Apr 27, 2013, at 3:17 am, Frank Gadegast wrote:

[…]

> I like to raise questions about what kind of
> responsibilities an abuse contact should have
> and look forward to comments or experiences
> you have with other providers.

Can you please define what you mean by responsibilities? Are you referring to some kind of contractually enforced minimum requirements or are you thinking of something closer to industry best practices?

Thanks,

Leo

From ripe-anti-spam-wg at powerweb.de Sat Apr 27 17:44:22 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sat, 27 Apr 2013 17:44:22 +0200
Subject: [anti-abuse-wg] abuse contact responsibilities
In-Reply-To: <74ED7E2D-382F-4C70-803C-5DD53BCAC82F@icann.org>
References: <517BA5D7.10607@powerweb.de> <74ED7E2D-382F-4C70-803C-5DD53BCAC82F@icann.org>
Message-ID: <517BF256.5040102@powerweb.de>

Leo Vegoda wrote:
> Hi Frank,

Hi Leo,

>
> On Apr 27, 2013, at 3:17 am, Frank Gadegast wrote:
>
> […]
>
>> I like to raise questions about what kind of
>> responsibilities an abuse contact should have
>> and look forward to comments or experiences
>> you have with other providers.
>
> Can you please define what you mean by responsibilities?
> Are you referring to some kind of contractually enforced minimum requirements or are you thinking of something closer to industry best practices?
>

Actually both and more :o)

Soon all netblocks will have an abuse address, but now it's time to ask what's happening after everybody could get abuse reports.

What do ISPs on this list do with abuse reports they receive ?

What is their experience with other ISPs not on this list when they are reporting abuse to those ?

What actions are covered by current RIPE regulations (I guess simply none, just asking this to be sure) ?

Are there any regulations in other countries already covering any kind of abuse action ?

Is there any kind of discussion between RIPE and legal entities in specific countries or the industry to force any kind of abuse action ?

What do all of you LIKE as regulations (addresses need to be valid, addresses should be able to receive mail (no mailbox full errors aso)) ?

Should it be the NCCs job to deal with complaints about not working abuse addresses ?

An example: we already collect a list of abuse ignorant ISPs and their abuse addresses, simply because its not worth delivering abuse reports to addresses that always fail ...

Kind regards, Frank

> Thanks,
>
> Leo
>
>

--

Kind regards,
--
PHADE Software - PowerWeb  http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast  mailto:frank at powerweb.de
Schinkelstrasse 17  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================

From peter at hk.ipsec.se Sat Apr 27 17:47:30 2013
From: peter at hk.ipsec.se (peter h)
Date: Sat, 27 Apr 2013 17:47:30 +0200
Subject: [anti-abuse-wg] abuse contact responsibilities
In-Reply-To: <517BA5D7.10607@powerweb.de>
References: <517BA5D7.10607@powerweb.de>
Message-ID: <201304271747.31641.peter@hk.ipsec.se>

On Saturday 27 April 2013 12.17, Frank Gadegast wrote:
>
> Hi all,
>
> I like to raise questions about what kind of
> responsibilities an abuse contact should have
> and look forward to comments or experiences
> you have with other providers.
>
> We currently have a case with a bigger hosting
> company (mostly doing serverhousing) from the
> RIPE region. They have one abuse contact with
> one single abuse mailaddress for all IPs
> and rather big netblocks used for serverhousing.

What provider is this ? Why do you hide their name ?

>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb  http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast  mailto:frank at powerweb.de
> Schinkelstrasse 17  fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
> ======================================================================
>
>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From kjz at gmx.net Sun Apr 28 13:46:44 2013
From: kjz at gmx.net (Karl-Josef Ziegler)
Date: Sun, 28 Apr 2013 13:46:44 +0200
Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 20, Issue 7
Message-ID: <517D0C24.7010509@gmx.net>

On 28.04.2013 12:00, wrote anti-abuse-wg-request at ripe.net:

> What provider is this ? Why do you hide their name ?

May it be that the name of this provider begins with H and spamcop is routing all abuse reports for this provider to /dev/null because this provider only does forwarding (also to spammers) and nothing else?

Best regards,

- Karl-Josef

From ripe-anti-spam-wg at powerweb.de Sun Apr 28 17:23:02 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sun, 28 Apr 2013 17:23:02 +0200
Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 20, Issue 7
In-Reply-To: <517D0C24.7010509@gmx.net>
References: <517D0C24.7010509@gmx.net>
Message-ID: <517D3ED6.5030101@powerweb.de>

Karl-Josef Ziegler wrote:
> On 28.04.2013 12:00, wrote anti-abuse-wg-request at ripe.net:
>
>> What provider is this ? Why do you hide their name ?
>
> May it be that the name of this provider begins with H and spamcop is
> routing all abuse reports for this provider to /dev/null because this
> provider only does forwarding (also to spammers) and nothing else?

Good guess, you're right with both.

I am used to lots of ISPs ignoring reports completely, some do really take care and fix holes pretty perfect and quick. But having an abuse address, policy and doing like, if they are good guys and then leaving it to the uneducated end user is really hypocritical and insincere, so I was pretty puzzled with this one ...

Anyway, I don't want to talk bad about others, more interested in getting feedback, what will happen after everybody HAS an abuse address.

Kind regards, Frank

>
> Best regards,
>
> - Karl-Josef
>
>
>
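
Added example, not part of any message in this thread and not code from the RIPE NCC or a list member: a Python sketch of the "with contact" test behind the statistics quoted above, resolving the organisation-level "abuse-c:" of ripe-563 first and an older "abuse-mailbox:" on a referenced contact second. All EXAMPLE objects, handles and mail addresses are constructed, and the fallback order is an assumption, not the documented behaviour of "whois -b".

```python
import re

# Constructed RPSL objects. The first two copy attributes of the SCANIF record
# quoted in the thread; every EXAMPLE object, handle and address is made up.
SAMPLE_DB = """\
inetnum:        148.148.0.0 - 148.148.255.255
netname:        SCANIF
admin-c:        RS3212-RIPE
tech-c:         RS3212-RIPE
status:         EARLY-REGISTRATION

person:         Roelof Sondaar
nic-hdl:        RS3212-RIPE

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
org:            ORG-EX1-RIPE
admin-c:        EX1-RIPE

organisation:   ORG-EX1-RIPE
org-name:       Example LIR
abuse-c:        AR1-RIPE

role:           Example Abuse Desk
nic-hdl:        AR1-RIPE
abuse-mailbox:  abuse@example.net

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-OLD
tech-c:         EX1-RIPE

person:         Example Person
nic-hdl:        EX1-RIPE
abuse-mailbox:  legacy-abuse@example.org
"""

REFERENCE_ATTRS = ("admin-c", "tech-c", "org")  # assumed fallback lookup order


def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            if not line.strip() or line[0] in "%#":
                continue  # server comments
            if line[0] in " \t+" and attrs:  # continuation of the previous value
                key, value = attrs[-1]
                attrs[-1] = (key, (value + " " + line[1:].strip()).strip())
            elif ":" in line:
                key, value = line.split(":", 1)
                attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            objects.append(attrs)
    return objects


def index_objects(objects):
    """Map primary key (nic-hdl for person/role, else first value) to the object."""
    db = {}
    for attrs in objects:
        obj_type, first_value = attrs[0]
        values = {}
        for key, value in attrs:
            values.setdefault(key, []).append(value)
        if obj_type in ("person", "role"):
            primary = values.get("nic-hdl", [first_value])[0]
        else:
            primary = first_value
        db[primary.upper()] = (obj_type, values)
    return db


def mailbox_of(db, handle):
    """First abuse-mailbox of the referenced object, or None."""
    entry = db.get(handle.upper())
    boxes = entry[1].get("abuse-mailbox", []) if entry else []
    return boxes[0] if boxes else None


def find_abuse_contact(db, resource):
    """Return (email, source); source is 'abuse-c', 'abuse-mailbox' or 'none'."""
    _, net = db[resource.upper()]
    orgs = [db[o.upper()][1] for o in net.get("org", []) if o.upper() in db]
    # 1. ripe-563 path: abuse-c on the resource or on its ORGANISATION object.
    for holder in [net] + orgs:
        for handle in holder.get("abuse-c", []):
            email = mailbox_of(db, handle)
            if email:
                return email, "abuse-c"
    # 2. Older path: abuse-mailbox on the resource or on a referenced contact.
    if net.get("abuse-mailbox"):
        return net["abuse-mailbox"][0], "abuse-mailbox"
    for attr in REFERENCE_ATTRS:
        for handle in net.get(attr, []):
            email = mailbox_of(db, handle)
            if email:
                return email, "abuse-mailbox"
    return None, "none"


def coverage(db):
    """Per-network result plus (networks with a contact, networks in total)."""
    results = {key: find_abuse_contact(db, key)
               for key, (obj_type, _) in db.items() if obj_type == "inetnum"}
    covered = sum(1 for email, _ in results.values() if email)
    return results, covered, len(results)


if __name__ == "__main__":
    results, covered, total = coverage(index_objects(parse_objects(SAMPLE_DB)))
    for net, (email, how) in results.items():
        print(f"{net:35} {how:14} {email or '-'}")
    print(f"{covered}/{total} networks with an abuse contact")
```

A resolved address only shows that a contact is registered; as the bounce from noc at spirittelecom.com earlier in the thread shows, it does not prove the mailbox accepts mail.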